Description
Spring Security OAuth provides support for using Spring Security with OAuth (1a) and OAuth2 using standard Spring and Spring Security programming models and configuration idioms.
When processing authorization requests using the whitelabel views, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type.
Remediation
Users of affected versions should apply the following mitigation:
- Users of 1.0.x should not use whitelabel views for approval and error pages
- Users of 2.0.x should either not use whitelabel views for approval and error pages or upgrade to 2.0.10 or later